Turning off client portal woes

Running on nginx with InvoiceNinja being the only virtual web site on this host, I have set REQUIRE_HTTPS=true and turned Client Portal off. If I go to https://invoice.example.com/client/ I rightfully get a “section turned off by admin”. If I instead go to (where is a placeholder for my real IP) I get a certificate warning, and after adding an exception I get to the client portal login page.

While I’m at it: Opening gets me to the admin console. If I log in this way I end up in the admin console, I see my company in the company selector in the top left corner, but without the logo and I also don’t see the logo in Settings → Company Details → Logo. Seems like the logo is somehow tied to the URL. (If I log in the regular way via the hostname, the logo is still there.)

Granted, the IP-address-trick working means there is potential for improving the web servers config, but hey … :slight_smile:


Thanks for reporting this!

cc @david @ben

1 Like

Yeh, I’m not sure there is much the app can do in this circumstance. We rely on a correctly configured webserver.

My DNS service provides protection of my direct IP address automatically, so I cannot test this myself, but can you add to your NGINX conf file these lines, where invoice.example.com is your domain name:

 if ($host != "invoice.example.com") {
    return 301 https://invoice.example.com;

If you add this line anywhere in the NGINX server block listening on 443, it should force redirect any attempted connections into using the specified domain for access, regardless of what addressing they used before.

Note that you must reset NGINX service after the change to the conf file with

 systemctl restart nginx

If you can please verify that it does work. I assume it will, and I’ve added it to my notes now.


This works, but:

  • statements are order dependent and need to go before any other rewriting of the URL (you observed that already in your guide),
  • if I try to reach the client portal I get redirected to the admin portal instead.

I’d suggest to use something more generic, like.

if ($host != $server_name) {
    return 301 https://$server_name$request_uri;

Hmm, I don’t want to be the wise guy, but if I set a switch “client portal off” I’d consider it a bug if an attacker can circumvent this setting by simple URL manipulation.


You would be correct if Invoice Ninja was a single company service, however with Invoice Ninja , you can have ten companies under the one account. And we utilize the URL to assertain whether the client portal is on or off for the given company.

Hence if you server configuration allows access outside the bounds of the application, there isn’t much the application can do.